The Chromium Projects

Control Flow Integrity

We are planning to deploy Clang's control flow integrity mechanisms in Chrome.

The current status:

To build Chrome with control flow integrity for virtual calls, indirect calls, and bad casts (Linux x86_64 only):

gn gen out/cfi '--args=is_debug=false is_cfi=true use_cfi_icall=true use_cfi_cast=true use_thin_lto=true' --check

ninja -C out/cfi chrome # Chrome will take 6 minutes or so to link.

Building with additional diagnostics:

gn gen out/cfi-diag '--args=is_debug=false is_cfi=true use_cfi_icall=true use_cfi_cast=true use_cfi_diag=true use_thin_lto=true' --check

ninja -C out/cfi-diag chrome # Chrome will take 6 minutes or so to link.

The deployment is being tracked here:

Meta bug: crbug.com/701937

Linux: crbug.com/464797

Android: crbug.com/469376

ChromeOS: crbug.com/537386

Diagnosing problems with the CFI instrumentation

By default, a program compiled with CFI will crash with SIGILL if it detects a CFI violation.

For better error messages (but not for production use), add use_cfi_diag=true to your args.gn.

Indirect call failures

CFI indirect call (cfi-icall) failures are primarily caused by either bad function casts or dynamically resolved function pointers:
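As an added illustration of the bad-function-cast class (this is example code, not from the Chromium page or tree): a callback registered through a cast to the event loop's handler type, beside the form whose signature matches the call site. The request struct, handler names and sample values are constructed for the example.

```c
#include <stddef.h>

/* Added example, not Chromium code. Built without CFI, both dispatch
 * functions run. Built with
 *   clang -flto -fvisibility=hidden -fsanitize=cfi-icall ...
 * dispatch_bad() traps (SIGILL), because cfi-icall checks that the callee's
 * function type matches the type of the indirect call site. */

struct request {            /* constructed sample type */
    int id;
    int len;
};

/* The callback contract: every handler takes a void* context. */
typedef int (*handler_fn)(void *ctx);

/* Written with a more specific parameter type than the contract. Registering
 * it needs a cast, so the callee's type (int(struct request*)) no longer
 * matches the call site's type (int(void*)). */
static int handle_request_bad(struct request *req)
{
    return req->id + req->len;
}

/* Same logic, but the function's own type is int(void*): the cast happens
 * inside, so call site and callee agree and cfi-icall passes. */
static int handle_request_good(void *ctx)
{
    struct request *req = (struct request *)ctx;
    return req->id + req->len;
}

/* The indirect call through the contract type; this is the site CFI checks. */
static int dispatch(handler_fn fn, void *ctx)
{
    return fn(ctx);
}

/* Mismatched cast: undefined behaviour in C, happens to run on x86_64 without
 * CFI, and is exactly what a cfi-icall failure report points at. */
int dispatch_bad(void)
{
    struct request req = { 40, 2 };   /* constructed sample */
    return dispatch((handler_fn)handle_request_bad, &req);
}

/* Matching signature: the fix for the report above. */
int dispatch_good(void)
{
    struct request req = { 40, 2 };   /* constructed sample */
    return dispatch(handle_request_good, &req);
}
```

With use_cfi_diag=true (or -fno-sanitize-trap=cfi outside Chromium) the failing call is reported with the mismatched types instead of a bare SIGILL.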

Overhead (only tested on x64)

Trophies (bugs found or prevented)